Envelope vs Header FROM

Part 1 - The Envelope

It contains the following information:

• Sender's name and address - tag 1 in the image. If a package cannot be delivered, the post office will use this address to return it back to the sender.
• Recipients name and address - tag 2 in the image
• A stamp by the post office containing the time and the name of the town - tag 3 in the image

• It is very easy to forge the sender's name and company name
• The post office will deliver the message without opening the envelope
• The post office will stamp the letter on the upper right hand corner with current date and the location where it came from
• If the letter goes through multiple post offices, all of them have the option of stamping the envelope

Part 2 - Actual Letter

This contains the following information:

• A header towards the top - tag 1 in the image
• This header contain sender's information (tag 2) and possibly a date when the letter was composed. (tag 3)
• Actual body, which appears at the bottom

• Notice the name of the sender on the actual letter is Jack Smith, which is different than what was specified on the envelope
• If Mary did not look at the envelope, she would have thought the letter was sent by Jack Smith who also works for ABC, Inc., the same company that Mary works for
• The sender could have easily put an invalid date as well as their contact information in attempt to make her believe Jack Smith is the sender
• If Mary is not careful and does not detect any fraud, she may take action that should would not have taken otherwise.

Part 1 - The Envelope

Envelope is the communication between and SMTP Client and Server. See a sample envelope on the right side. Messages sent by client are indicated by C: and server's responses are indicated by S: Following is true with an email envelope.

• The client and server first greet each other with a HELO command.
• Client sends a MAIL FROM command representing the sender's email address. This value is also used to send a non-delivery report (NDR) when message cannot be delivered.
• The server response with a 250 OK if this sender is acceptable.
• Next, the client sends one or more recipient's email address using the RCPT TO command.
• Again, the server responds with a 250 OK, provided the recipient is acceptable. If the server returns a rejection code, the sender will generate an NDR. In this case, the actual message will never get sent to the receiving SMTP server.

• It is very easy to specify a fake/forged address in the MAIL FROM command
• The receiving server has the ability to check a few things, such as sender's IP address, MX record and FQDN before accepting any email.

Sample Envelope

S: 220 foo.com Service Ready
C: HELO bar.com
S: 250 OK
C: MAIL FROM:<james.baker@xyzinc.com>
S: 250 OK
C: RCPT TO:<mary.jane@abcinc.com>
S: 250 OK
C: DATA
S: 354 Start mail input;
C: Actual email is sent here
C: .
S: 250 OK
C: QUIT

Part 2 - Actual Email

When users receive the email, they do not see the envelope. Email clients only display the "Letter". This message must conform to rules specified in RFC 5322.

• An email is divided into at least two parts: Header and Body
• Header is used to contain some meta data about the message, such as Sender's name and email, date it was composed, subject and others.
• The sender's email address and name is specified in the FROM header and its value looks like Jack Smith <jack.smith@abcinc.com>.

• The sender's email address can be different from the envelope's MAIL FROM
• Since an email client will only display the FROM header (RFC5322.FROM), the user will never know what was the value for the RFC5321.MAILFROM in the envelope.

Envelope From (RFC5321.MAIL FROM)

• Used by the SMTP server to generate NDR
• Used by SPF filter to determine if it came from the designated IP address.

Header From (RFC5322.FROM)

• Used by the email client to display information in the From field.
• Used by DMARC filter to confirm if the message is authentic